A data processing apparatus is provided which uses flag circuitry (174) to set an access tracking flag (SFPA) to a first value when the processing circuitry (154) enters a secure mode in association with a function call and to switch the access tracking flag to a second value upon detection of a first access of at least one type to predetermined state data, such as floating point register data, by processing circuitry operating in the secure mode in association with that function call. This access tracking flag may then be used in association with a lazy-protection program instruction (VLSTM) and a lazy-load program instruction (VLLDM) to control whether or not push operations of the state data and restore operations of the state data are performed in order to prevent access in the non-secure mode to that state data.
25. A method of processing data comprising:
performing processing in one of a first security mode and in a second security mode;
providing an access tracking flag having a first value when processing circuitry enters said first security mode in association with a function call; and
switching the access tracking flag to a second value upon detection of a first access of at least one type to predetermined state data by the processing circuitry when operating in said first security mode in association with said function call.
1. Apparatus for processing data comprising:
processing circuitry to operate in a first security mode and in a second security mode; and
flag circuitry to provide an access tracking flag having a first value when the processing circuitry enters the first security mode in association with a function call, wherein the processing circuitry is configured to switch said access tracking flag to a second value upon detection of a first access of at least one type to predetermined state data by the processing circuitry when operating in said first security mode in association with said function call.
2. Apparatus as claimed in
set said access tracking flag to said first value upon entry to said first security mode and to change said access tracking flag from said first value to said second value upon detecting said first access independent of whether said processing circuitry is operating in said first security mode or in said second security mode;
set said access tracking flag to said first value upon entry to said first security mode and to change said access tracking flag to said second value upon detecting said first access and that said processing circuitry is operating in said first security mode; and
set said access tracking flag to said first value upon entry to said second security mode and to change said access tracking flag to said second value upon detecting said first access and that said processing circuitry is operating in said first security mode.
3. Apparatus as claimed in
4. Apparatus as claimed in
6. Apparatus as claimed in
secure state protection circuitry to trigger a protection response in respect of said predetermined state data when at least:
said processing circuitry is operating in said second security mode;
said access tracking flag had said second value when operating in said first security mode before switching to said second security mode in association with a function call; and
said processing circuitry attempts to access said predetermined state data, wherein
said protection response comprises clearing a first subset of said predetermined state data.
7. Apparatus as claimed in
8. Apparatus as claimed in
said access tracking flag has said second value; and
said lazy-protection program instruction is executed.
9. Apparatus as claimed in
10. Apparatus as claimed in
a dedicated protection flag; and
said access tracking flag.
11. Apparatus as claimed in
12. Apparatus as claimed in
said processing circuitry is operating in said first security mode; and
said protection flag has said value indicative of triggering of said protection response.
13. Apparatus as claimed in
14. Apparatus as claimed in
said processing circuitry is operating in said first security mode; and
said protection flag has a value other than indicative of triggering of said protection response.
15. Apparatus as claimed in
said processing circuitry is operating in said first security mode; and
said protection flag has a value other than indicative of triggering of said protection response.
16. Apparatus as claimed in
17. Apparatus as claimed in
18. Apparatus as claimed in
20. Apparatus as claimed in
21. Apparatus as claimed in
22. Apparatus as claimed in
said lazy-load program instruction loads said predetermined state data from said stack memory;
said lazy-load program instruction clears said preparing of said state protection circuitry; and
said lazy-load program instruction is executed.
23. Apparatus as claimed in
24. Apparatus as claimed in
26. A computer program stored on a non-transitory, computer program storage medium to control operation of an apparatus as claimed in
27. A computer program stored on a non-transitory, computer program storage medium to control operation of an apparatus as claimed in
said processing circuitry is operating in said first security mode; and
said protection flag has said value indicative of triggering of said protection response.
This application is the U.S. national phase of International Application No. PCT/GB2016/051526 filed May 26, 2016, which designated the U.S. and claims priority to GB Patent Application No. 1512367.2 filed Jul. 15, 2015, the entire contents of each of which are hereby incorporated by reference.
This disclosure relates to the field of data processing systems. More particularly, this disclosure relates to data processing systems which can operate in a first security mode and in a second security mode.
It is known to provide data processing systems having a secure mode and a non-secure mode, such as processors designed by ARM Limited that support the TrustZone architecture features. Within such systems, it is important that state data dependent upon processing performed in the secure mode should not, unless specifically desired, be accessible in the non-secure mode.
At least some embodiments of the disclosure provide apparatus for processing data comprising:
processing circuitry to operate in a first security mode and in a second security mode; and
flag circuitry to provide an access tracking flag having a first value when the processing circuitry enters the first security mode in association with a function call, wherein the processing circuitry is configured to switch said access tracking flag to a second value upon detection of a first access of at least one type to predetermined state data by the processing circuitry when operating in said first security mode in association with said function call.
At least some further embodiments of the disclosure provide a method of processing data comprising:
performing processing in one of a first security mode and in a second security mode;
providing an access tracking flag having a first value when processing circuitry enters said first security mode in association with a function call; and
switching the access tracking flag to a second value upon detection of a first access of at least one type to predetermined state data by the processing circuitry when operating in said first security mode in association with said function call.
At least some further embodiments of the disclosure provide a computer program stored on a tangible computer program storage medium in which the computer program includes at least one of a lazy-protection program instruction and/or a lazy-load program instruction.
Example embodiments will now be described, by way of example only, with reference to the accompanying drawings in which:
When the secure mode function fn1 wishes to make a function call to a non-secure function it is responsible for executing a lazy-protection program instruction VLSTM as part of its preparation for the exit from the secure mode. The execution of the lazy-protection instruction VLSTM by the processing circuitry of the processor has a number of actions. If the access tracking flag SFPA has the second value (i.e. is set at a value of “1” indicating that a floating point register access has occurred during the processing of the secure function fn1), then a protection response is prepared and a protection flag LSPACT is set to a value indicative of this protection response having been prepared. The protection response preparation includes allocating storage space within a stack memory protected from non-secure access to be used if required to store the floating point register state data. The floating point register state data is not saved out to the stack at this time, rather the space it would occupy is reserved in the stack and a pointer to that allocated space within the stack is saved.
If when the lazy-protection program instruction is executed, the access tracking flag SFPA has the first value (i.e. is set at a value of “0” indicating that the secure function fn1 has not made any floating point accesses), then there is no secure floating point state data associated with the secure function fn1 which needs protecting and accordingly no protection response is prepared and the protection flag LSPACT is not set (no space need be allocated in a secure stack memory and no pointer set). In addition to the execution of the lazy-protection program instruction VLSTM, the hardware responds to the function call switching from the secure mode to the non-secure mode by saving the value of the access tracking flag SFPA at that time for the secure function fn1 to a secure stack (e.g. stored in a memory area that is not accessible in non-secure mode) for the secure function fn1 via a push operation.
The function call from the secure function fn1 is made in the example of
However, if an access to a floating point register is attempted whilst the LSPACT flag is set to “1” (e.g. by a floating point instruction executed in the non-secure function fn2), then secure state protection circuitry serves to save the floating point state data of the secure function fn1 to the allocated storage area within the secure state memory that was set up (prepared) by the lazy-protection instruction VLSTM previously executed, and then clear the floating point registers before permitting the access to the floating point registers by the non-secure function fn2. The secure state protection circuitry performs the protection response which has previously been prepared by the lazy-protection VLSTM as it detects that the protection flag LSPACT has been set (e.g. has a value of “1”) indicating that the floating point registers do contain state data dependent upon processing by the secure function fn1 and that a protection response has been prepared for that floating point state data by allocating space within the secure stack and saving a pointer to that allocated space for use in the push operations saving the floating point state data of the secure function fn1.
When the protection response has been performed, the protection flag LSPACT is reset (e.g. to a value of “0”) as the secure floating point state data has been saved and cleared and accordingly subsequent floating point accesses which occur during processing of the non-secure function fn2 need not trigger further protection responses for that secure floating point state data.
As illustrated in
Conversely, should the access tracking flag have the second value (e.g. SFPA=“1”) and the protection flag not be set (e.g. LSPACT=“0”) when the lazy-load program instruction VLLDM is executed, then this indicates that there was secure floating point state data in place when the secure function fn1 was exited and that a protection response was triggered subsequent to executing the VLSTM and prior to execution of the VLLDM instruction. Accordingly, the VLLDM program instruction in this circumstance triggers a restore response which restores the secure floating point state data from within the secure stack (a pop) indicated by the saved pointer value as a floating point register pop operation.
In this way, it will be seen that flag circuitry provides an access tracking flag SFPA which has a first value (e.g. SFPA=“0”) when the processing circuitry enters the secure mode (a switch is made from the non-secure function fn0 to the secure function fn1) in association with a function call. The flag circuitry then serves to monitor access to the floating point registers occurring during the processing of the secure function fn1 and switches the access tracking flag to a second value (SFPA=“1”) should an access to the floating point registers occur. The accesses to the floating point registers which are tracked may take the form of any read or write access to those floating point registers. Some types of access may be performed without switching the value of the access tracking flag, as they do not result in the floating point state data containing any information dependent upon the secure mode processing in a way which would compromise security. Accordingly, the accesses which are tracked are of at least one type. The access tracking flag provided in this way permits mechanisms such as the lazy-protection and lazy-load previously described to be implemented so as to provide protection to the state data without incurring unnecessary time and energy overhead when this protection is not needed. It will be appreciated that the example of
It will be appreciated by someone skilled in the art that although
Other example embodiments are also possible, such as embodiments in which the deallocation of the stack space is performed by a separate instruction executed after the VLLDM instruction, and VLLDM takes a register parameter that specifies the location where the floating point state may have been saved to.
Following step 120, step 122 serves to clear the floating point registers which have now been saved. Step 124 then serves to reset the protection flag (e.g. set LSPACT=“0”). This indicates that any protection action which was prepared has now been taken and accordingly need not be repeated should a subsequent access attempt be made to secure floating point state data.
Following step 124, or if the determination at step 118 was that the protection flag was not set, processing proceeds to step 126 where a determination is made as to whether or not the processor is currently operating in the secure mode. If the processor is operating in the secure mode, then step 128 determines whether or not the access tracking flag SFPA currently has the first value (e.g. SFPA=“0”). If the access tracking flag does have the first value, then this indicates that the access detected at step 116 is the first floating point access to occur during the secure mode processing and accordingly step 130 serves to set the floating point configuration (e.g. rounding modes, floating point exception handling etc.) to a default configuration as well as switching the access tracking flag to the second value (e.g. SFPA=“1”). Following step 130, or following steps 126 and 128 if their determinations are negative, processing proceeds to step 132 where the floating point access attempted at step 116 is permitted. Processing then returns to step 116 to await the next attempted floating point register access.
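The flag and instruction behaviour described above (the first secure floating point access switching SFPA, VLSTM reserving secure stack space and setting LSPACT, the hardware push and pop of SFPA around the call, the protection response at the first subsequent floating point access, and VLLDM restoring only when that response actually ran) can be exercised in a small model. The model below is an added illustration, not code from the patent or from ARM; the class and function names, the four-entry register file, the register name s0 and the sample value 3.5 are assumptions of this example, and the default floating point configuration step 130 is omitted.

```python
from dataclasses import dataclass, field

SECURE, NON_SECURE = "secure", "non-secure"

@dataclass
class LazyFpModel:
    # Hypothetical model of the SFPA/LSPACT flags and VLSTM/VLLDM (not ARM's implementation).
    mode: str = NON_SECURE
    sfpa: int = 0        # access tracking flag: 0 = first value, 1 = second value
    lspact: int = 0      # protection flag: 1 = protection response prepared by VLSTM
    fp_regs: list = field(default_factory=lambda: [0.0] * 4)   # toy floating point register file
    secure_stack: list = field(default_factory=list)           # stands in for secure stack memory
    saved_ptr: int = -1  # index of the stack slot reserved by VLSTM, -1 = none reserved
    responses: int = 0   # protection responses performed, recorded for the reader
    def enter_secure(self):
        self.mode, self.sfpa = SECURE, 0   # entry via function call: SFPA takes its first value
    def fp_access(self, reg, value=None):
        # steps 116-132 of the flowchart: every floating point register access passes through here
        if self.lspact:                                            # 118: response prepared?
            self.secure_stack[self.saved_ptr] = list(self.fp_regs) # 120: push into reserved slot
            self.fp_regs = [0.0] * len(self.fp_regs)               # 122: clear the registers
            self.lspact = 0                                        # 124: do not repeat
            self.responses += 1
        if self.mode == SECURE and self.sfpa == 0:                 # 126/128: first secure access
            self.sfpa = 1                                          # 130 (default FP config omitted)
        if value is not None:                                      # 132: permit the access
            self.fp_regs[reg] = value
        return self.fp_regs[reg]
    def vlstm(self):
        # lazy-protection: reserve a secure stack slot and arm the response; no push yet
        if self.sfpa == 1:
            self.secure_stack.append(None)
            self.saved_ptr, self.lspact = len(self.secure_stack) - 1, 1
    def call_non_secure(self):
        self.secure_stack.append(("sfpa", self.sfpa))   # hardware pushes SFPA on the way out
        self.mode = NON_SECURE
    def return_to_secure(self):
        _, self.sfpa = self.secure_stack.pop()           # hardware pops SFPA on return
        self.mode = SECURE
    def vlldm(self):
        # lazy-load: restore only if a response was actually triggered while non-secure
        if self.sfpa == 1 and self.lspact == 0 and self.saved_ptr >= 0:
            self.fp_regs = list(self.secure_stack[self.saved_ptr])
        if self.saved_ptr >= 0:                          # release the reserved slot
            self.secure_stack.pop(self.saved_ptr)
            self.saved_ptr = -1
        self.lspact = 0                                  # clear any prepared protection

def run_scenario(secure_uses_fp, non_secure_uses_fp):
    # constructed sequence: non-secure fn0 calls secure fn1, which calls non-secure fn2 and returns
    m = LazyFpModel()
    m.enter_secure()
    if secure_uses_fp:
        m.fp_access(0, 3.5)            # fn1 leaves a secure-dependent value in s0
    m.vlstm()
    m.call_non_secure()
    seen = m.fp_access(0) if non_secure_uses_fp else None   # what fn2 observes in s0
    m.return_to_secure()
    m.vlldm()
    return {"seen_by_non_secure": seen, "restored_s0": m.fp_regs[0],
            "responses": m.responses, "secure_stack_left": len(m.secure_stack)}
```

run_scenario(True, True) shows fn2 reading 0.0 from s0 while fn1 gets 3.5 back after one protection response, whereas run_scenario(False, True) and run_scenario(True, False) perform no response at all, which is the overhead saving the flag is for.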
Other example embodiments are also possible, such as embodiments in which the VLSTM instruction serves to trigger the state protection circuitry to push the secure floating point state data straight away. Another option is that a separate instruction executed prior to the VLSTM instruction serves to allocate the stack space and VLSTM takes a register parameter that specifies the location of that allocated space.
In some example embodiments a lazy-unprotect program instruction may be provided that when executed disables the protection response when the processing circuitry is operating in the secure mode and the protection flag is still set (e.g. LSPACT=“1”).
Associated with the floating point circuitry are a flag controller 174 (flag circuitry) and secure state protection circuitry 176. These circuits have the functions previously described. These circuits both maintain and respond to the access tracking flag SFPA and the protection flag LSPACT as previously described. Furthermore, storage is provided for a pointer to the area within a stack memory 178 that is allocated at runtime (within the main memory 156) to store the secure floating point state data should this be necessary.
Although illustrative embodiments have been described in detail herein with reference to the accompanying drawings, it is to be understood that the claims are not limited to those precise embodiments, and that various changes, additions and modifications can be effected therein by one skilled in the art without departing from the scope and spirit of the appended claims. For example, various combinations of the features of the dependent claims could be made with the features of the independent claims.
Grocutt, Thomas Christopher, Craske, Simon John
Executed on | Assignor | Assignee | Conveyance | Frame | Reel | Doc
May 26 2016 | ARM Limited | (assignment on the face of the patent) | | | |
Dec 06 2017 | CRASKE, SIMON JOHN | ARM Limited | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 044483 | /0058 |
Dec 08 2017 | GROCUTT, THOMAS CHRISTOPHER | ARM Limited | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 044483 | /0058 |